Installing Root Certificates

If you’re taking your advanced home server to new levels that require you to implement security and encryption technology such as HTTPS or SSL-oriented VPNs, you will be introduced to a lot of obscure concepts that you now need to know more about. Some of them involve certificates. A certificate is basically just a little file that is used for identification and encryption. If you choose to build your own security, you will need to become handy at exporting and importing root certificates into your servers and personal computers.

Most normal and happy people have no idea about root certificates and they live long and productive lives without ever caring about them. With a little effort, you will remain normal and happy, but know a little more than you did yesterday.

Your computer and browser already have a long list of root certificates installed. They are a standard feature. Root certificates are issued by Certificate Authorities to validate the authenticity of the certificates they issue to others. GoDaddy and Comodo provide this service, among others. When you use HTTPS from Amazon, a root certificate validates that it’s really Amazon you’re talking to. Amazon uses an SSL certificate to encrypt the communication, and the root certificate validates that the SSL certificate was issued by the Certificate Authority and that it’s really Amazon.

You will only be concerned with the one you make or the one Windows Server 2012 makes for you. Windows Server 2012 Essentials, by default, installs Active Directory and a long list of other roles and features, including Active Directory Certificate Services (AD CS). If you install Windows Server 2012 Essentials, it automatically creates your server’s root certificate as a standard part of the installation process. Other versions of Windows Server 2012 install no roles by default. The trusted root certificate stores of all client computers that are joined to the domain will automatically receive copies of the root certificate installed on the server. All you need to be concerned with are workstations that are not in the domain and browsers that don’t use the computer’s certificate store.

Windows Server 2012 provides a utility from within IIS that quickly exports root certificates out of Windows Server and imports them into a certificate store of a client PC. If you open /certsrv on your server’s URL from a client PC browser, you’ll be greeted with a user ID / password prompt from the server. Then you’ll be given the opportunity to download a CA certificate and either save it on the client or import it, all in one step. I would recommend you NOT use this feature. In most, if not all, cases it will import the root certificate into the personal (current user) certificate store and not the certificate store of the local machine. You’ll then have to find it, export it, and import it into the trusted root certificate store of the local machine. Regardless, you’ll still have to import the root certificate manually into all browsers that don’t use the PC certificate store.

If you plan to use OpenSSL, you’ll make a root certificate that must be installed on the server and on each computer that will securely access your server.

You’ll first see how Microsoft provides flexible access to many aspects of your operating system using a tool called the Microsoft Management Console. Then you’ll see how to export and import certificates using the MMC. Finally, you’ll see how to import root certificates into Firefox.

The Microsoft Management Console (MMC) and Snap-Ins

Microsoft includes a flexible tool called the Microsoft Management Console (MMC) to manage many aspects of the operating system using snap-ins. A snap-in is a set of commands that are concerned with a major application. Some vendors also use the MMC as an interface into managing their applications. It’s easier to show it to you than explain it.

Run mmc.exe. It requires administrator-level privileges. You’ll see an empty console. Click File. On the drop-down menu click Add/Remove Snap-in.

You’ll see a list of all the snap-ins available to you. At this time, we’ll limit ourselves to Certificates, but feel free to build your own custom consoles later. An MMC console is just a container. If you build and save a custom console and later delete it, you’re only affecting the console, not the snap-ins it contains.

Click Certificates. Add it to the selected snap-ins window.

Select Computer Account. Click Next.

Select Local computer. Click Finish.

You’ve made a custom MMC console. You can repeat the process and add as many snap-ins as you like. People commonly build custom consoles for a single purpose. When you’re done with your intended task and close the console, it will ask you if you want to save it or not. It’s common to answer No to avoid clutter.

Now, expand the Certificates (Local Computer) tree. It lists all the types of certificates that are possible to use. You’ll only be concerned with the Certificates folder under Trusted Root Certification Authorities today.

Exporting a Root Certificate

Now that you’ve created your console, export the root certificate from the computer it’s on so you can install it where it needs to be. When you export a certificate, you’re only making a copy for distribution. You’re not removing it. If you’re building a secure remote file access system such as WebDAV or an SSTP VPN, a root certificate is required for the client to connect. While root certificates from public Certificate Authorities are normally available to all and desirable to make as public as possible, you should keep your private root certificate private.

Select your root certificate. Then Right Click / All Tasks / Export.

From here on, you just follow the prompts.

Accept the defaults.

Decide where to save the file. Name it whatever you like.

Confirm and Finish.

Done.

Importing a Root Certificate

There are two ways to import your root certificate into the Trusted Root Certificate Store. Using the MMC console you just built is the most reliable way. The other is to double-click the certificate file, which gives you an option to install the certificate. The wizard will either decide the best place to put it or give you the option to install it where you like. There’s a good chance it will put it in the wrong place. You want to make sure it installs in the Trusted Root Certificate Store of the local machine, and not in your user store.
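The export and import steps above, done from an elevated PowerShell prompt instead of the MMC wizards, as an added example that is not part of the original article. It uses the PKI module cmdlets that ship with Windows Server 2012 / Windows 8 and later; the root CA subject name and the file path are assumptions you must replace with your own. The final check is the point of the Import section: the certificate must land in the local machine’s Trusted Root store, not the current user’s.

```powershell
# Added example, not from the original article.
# Run as Administrator. Replace the two assumed values below with your own.
$RootSubject = 'CN=MyHomeRootCA'           # assumption: subject of your own root CA
$ExportPath  = 'C:\Temp\MyHomeRootCA.cer'  # assumption: where the exported copy goes

# --- Export (on the server, or any domain member that already trusts the root) ---
# Only the public certificate is written (DER-encoded .cer), never the private key.
# This matches the "Accept the defaults" step of the MMC Export wizard.
$root = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq $RootSubject } |
        Sort-Object NotAfter -Descending | Select-Object -First 1   # newest if renewed
if (-not $root) { throw "No certificate with subject '$RootSubject' in LocalMachine\Root" }
if ($root.Issuer -ne $root.Subject) { throw "Not a self-signed root: issuer differs from subject" }
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null
Write-Host "Exported $($root.Thumbprint) to $ExportPath"

# --- Import (on a non-domain workstation, elevated) ---
# -CertStoreLocation pins the destination to the machine store, which is exactly
# what the double-click wizard can get wrong.
$imported = Import-Certificate -FilePath $ExportPath -CertStoreLocation Cert:\LocalMachine\Root
$thumb    = $imported.Thumbprint

# --- Verify placement: LocalMachine\Root is required; CurrentUser\Root is not enough ---
$inMachine = Test-Path "Cert:\LocalMachine\Root\$thumb"
$inUser    = Test-Path "Cert:\CurrentUser\Root\$thumb"
if (-not $inMachine) { throw "Root certificate $thumb is NOT in LocalMachine\Root" }
Write-Host "OK: $thumb is trusted machine-wide"
if ($inUser) {
    Write-Warning "A copy also sits in CurrentUser\Root; only the machine store counts for services and other users"
}
```

Browsers that keep their own certificate store (Firefox, as mentioned above) still need the .cer file imported separately.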

Thanks. Microsoft’s online documentation has either too much or too little detail. None of what I have read (not lately, so they might be better now) was written from the perspective of someone who has an actual task to complete. There are other sites with good information, but you really have to hunt for them and sometimes they’re incomplete. Their TechNet forum is hit-or-miss. Sometimes you get good advice, sometimes you get a canned reply that answers a question that’s only similar to the one you asked. Many of the server books are too shallow to be useful, but they do provide a good introduction to the screens and features.

There are some good places to look. I like Pluralsight videos a lot. Eli the Computer Guy also has some good free videos. Petri IT Knowledgebase has some good articles. And then, of course, YouTube has a video for anything you can imagine. I recently wired the first floor of my house with Cat6 after watching a few videos there. I had no idea how to do it beforehand. (I replaced existing media and phone outlets with keystone technology – no new holes in the wall were needed.)

You talk about Windows Server 2012 Essentials in your opening remarks, but then proceed to provide instructions related to Advanced Home Server. The certificate for that doesn’t exist on my server so I’m lost as to which certificate to export. I’m hoping to avoid buying an SSL certificate from GoDaddy. Any help would be appreciated.

Read the article again and maybe another time later. The links in it refer to certificates and how to make your own. If you make your own, it implies you are only proving who you are to yourself. This includes an employee or family environment. For most people, this is all you need. If you need to prove to third parties who you are, then you will need to purchase a suitable certificate. The issuer vouches that you are who your web site claims you are.

Several articles here tell much about certificates and how to use them. Spend some time with them. The concept can be complicated as it does not relate to what people normally deal with day to day. It took me a long time to break it down.

Thanks. My goal was to write something more readable than what I learned from. Step by step with pictures seemed to be a good approach.

BTW, I’m a retired CPA. I just set my license to inactive. Taxes, to me, are really hard. I really liked them at one point until I noticed they change every year and logic is not a tool that makes it easier. I decided to step aside long ago so someone like you could have my share.